IPA/AD Trust Authentication
Active Directory (AD) Trust Authentication on the Appliance is supported with External Authentication to IPA.
This guide covers how to manually configure an Appliance's external authentication to work with AD Trust Authentication through IPA. Once configured, users from the trusted AD domain can access the Appliance Administrative UI and the REST API with their AD credentials; IPA resolves the AD users and their groups, and the Appliance maps those groups to its own roles.
Requirements
The following is needed to enable AD Trust Authentication to the Appliance:
- A CentOS/RHEL 7.2 based MiQ Appliance
- Windows Server 2008 R2 or later with a configured AD Domain Controller (DC) and DNS installed locally on the DC
Set up and configure an IPA server for AD Trust Authentication
- Configure an IPA Server based on FreeIPA 3.3.3 or later
  Instructions for setting up and configuring cross-realm trust between an IPA domain and an AD (Active Directory) domain can be found in the freeipa.org Active Directory Trust Setup guide.
- Add the necessary user attributes to the SSSD configuration on the IPA server
  The SSSD configuration file on the IPA Server must be updated to list the user attributes the Appliance reads through the SSSD InfoPipe (ifp) responder. Add the following entry to /etc/sssd/sssd.conf (the ifp responder must also appear in the services list of the [sssd] section), then restart SSSD with systemctl restart sssd:
  [ifp]
  user_attributes = +mail, +givenname, +sn, +displayname
- DNS Configuration Significance
  Special care should be taken when configuring DNS, as an improper DNS configuration can result in poor performance and incorrect behaviour (Kerberos and trust lookups depend on correct SRV records for both domains). For more details refer to the FreeIPA and Active Directory DNS documentation.
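As an added example (not part of this guide or of the ManageIQ/FreeIPA projects), the script below applies the [ifp] user_attributes change to an sssd.conf idempotently and checks the result: it adds the section when it is missing, adds the user_attributes line when the section has none, and merges the required attributes into an existing line without discarding attributes an administrator already configured. The function names, the two sample sssd.conf files and the user aduser@ad.example.com in the trailing verification commands are constructed for the example; on a real IPA server the script would be pointed at /etc/sssd/sssd.conf and run as root.

```shell
#!/bin/sh
# Added example (not from this guide or from the ManageIQ/FreeIPA projects).
# Idempotently ensures the [ifp] section of an sssd.conf lists the user
# attributes the appliance's external-auth lookups need, and checks the result.
# Meant to run as root on the IPA server against /etc/sssd/sssd.conf; below it
# is exercised on constructed sample files in a temporary directory.
set -eu

REQUIRED_ATTRS="+mail +givenname +sn +displayname"

# Print the user_attributes value found in the [ifp] section (empty if none).
ifp_user_attributes() {
    awk '/^\[/ { in_ifp = ($0 == "[ifp]") }
         in_ifp && /^[[:space:]]*user_attributes[[:space:]]*=/ {
             sub(/^[^=]*=[[:space:]]*/, ""); print; exit }' "$1"
}

# Return 0 if every required attribute is already listed, 1 otherwise.
ifp_attrs_ok() {
    current=",$(ifp_user_attributes "$1" | tr -d ' '),"
    for a in $REQUIRED_ATTRS; do
        case "$current" in *",$a,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Rewrite CONF in place: add [ifp] if missing, add user_attributes if the
# section lacks it, or merge missing attributes into an existing line while
# keeping attributes the administrator already configured (in their order).
ensure_ifp_attrs() {
    conf="$1"
    awk -v req="$REQUIRED_ATTRS" '
    function emit_ua(   i, out) {
        for (i = 1; i <= nhave; i++) { out = out (out == "" ? "" : ", ") have[i] }
        for (i = 1; i <= nreq; i++) {
            if (!(want[i] in present)) { out = out (out == "" ? "" : ", ") want[i] }
        }
        print "user_attributes = " out
    }
    BEGIN { nreq = split(req, want, " ") }
    /^\[/ {                                  # a section header
        if (in_ifp && !seen_ua) { emit_ua(); seen_ua = 1 }
        in_ifp = ($0 == "[ifp]"); if (in_ifp) { saw_ifp = 1 }
        print; next
    }
    in_ifp && /^[[:space:]]*user_attributes[[:space:]]*=/ {
        val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
        n = split(val, parts, /[[:space:],]+/)
        for (i = 1; i <= n; i++) {
            if (parts[i] != "" && !(parts[i] in present)) {
                have[++nhave] = parts[i]; present[parts[i]] = 1 }
        }
        emit_ua(); seen_ua = 1; next
    }
    { print }
    END {
        if (in_ifp && !seen_ua) { emit_ua() }         # [ifp] was the last section
        if (!saw_ifp) { print ""; print "[ifp]"; emit_ua() }
    }' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed sample 1: IPA server sssd.conf with no [ifp] section at all.
cat > "$demo_dir/no_ifp.conf" <<'EOF'
[domain/test.company.com]
id_provider = ipa
ipa_server = ipaserver.test.company.com

[sssd]
services = nss, sudo, pam, ssh, ifp
domains = test.company.com
EOF

# Constructed sample 2: [ifp] exists with a partial, locally customised list.
cat > "$demo_dir/partial_ifp.conf" <<'EOF'
[sssd]
services = nss, pam, ifp
domains = test.company.com

[ifp]
allowed_uids = apache, root
user_attributes = +mail, +telephoneNumber

[nss]
homedir_substring = /home
EOF

for name in no_ifp partial_ifp; do
    f="$demo_dir/$name.conf"
    if ifp_attrs_ok "$f"; then
        echo "$name: already complete"
    else
        ensure_ifp_attrs "$f"
        echo "$name: user_attributes = $(ifp_user_attributes "$f")"
    fi
done

# On the real IPA server (not run here): restart SSSD and confirm the InfoPipe
# returns the attributes for a trusted-domain user (hypothetical name):
#   systemctl restart sssd
#   dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
#     /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr \
#     string:aduser@ad.example.com array:string:mail,givenname,sn,displayname
```

The merge keeps the administrator's existing attributes first and appends only the missing ones, so re-running the script on an already-correct file leaves it unchanged. The dbus-send call at the end is the check that matters for the Appliance: if GetUserAttr does not return mail, givenname, sn and displayname for an AD user, the httpd lookup on the Appliance will not get them either.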
Enable the MiQ Appliance to use the configured IPA server
Use the Appliance Console to enable external authentication to the IPA Server. The IPA principal and password entered here are used to enroll the Appliance as an IPA client and to configure httpd and SSSD on it.
- Log in to the console as root
- Run appliance_console
- The summary screen should show External Auth as not configured; press any key
- From the Advanced Settings menu, select Configure External Authentication (httpd)
- Enter the FQDN of the IPA Server, e.g. ipaserver.test.company.com
- Enter the IPA Server domain, e.g. test.company.com
- Enter the IPA Server realm, e.g. TEST.COMPANY.COM
- Press Enter to accept the default IPA Server principal (admin)
- Enter the password of the IPA Server principal
- Review the details and enter y to proceed.
Configure the MiQ appliance to use external authentication
Log in to the MiQ appliance as admin, then go to Settings→Configuration→Server→Authentication:
- Set Mode to External (httpd)
- Check Get User Groups from External Authentication (httpd)
- Optionally check Enable Single Sign-On
- Click Save.
The above steps need to be done on each UI- and WebService-enabled appliance.
Then, in Settings→Configuration→Access Control:
- Make sure the users' groups are created on the Appliance and appropriate roles are assigned to those groups. The group-to-role mapping is what authorizes an externally authenticated user; a user none of whose groups exist on the Appliance cannot log in.
Create groups on the MiQ appliance
The below steps need to be done on each UI- and WebService-enabled appliance.
Log in to the MiQ appliance as admin, then go to Settings→Configuration→Access Control→Groups→Configuration→Add a new Group:
- Check Look Up LDAP Groups
- Enter the AD user as the User to Look Up, e.g. ipauser@ipaserver.test.company.com
- Click Retrieve.
- Choose a group from the LDAP Groups for User dropdown.
- Assign the appropriate roles to the group.
- Click Add.
Use AD Trust Authentication
Once the above is done, the user simply needs to specify their AD username and password. Users from the trusted AD domain are identified by their fully qualified name (e.g. aduser@ad.example.com, where ad.example.com is the AD domain, not the IPA domain), since SSSD does not resolve short names for trusted-domain users. This applies when:
- Logging into the Appliance Administrative UI
- Accessing the REST API
- Using the Self Service UI
- Using Single Sign-On (SSO) to access the MiQ appliance after obtaining a Kerberos ticket with kinit using AD credentials.